Woe is the PHP hosting provider that thinks leaving register_globals on is a good thing. At lunch today, the PICnet gang was chatting about security vulnerabilities that were occurring in many Joomla 3rd party components. The problem is that our wonderful Joomla core was taking flak for not being secure, but at the end of the day all the hacks seemed to be occurring because of poor programming and server hosts leaving the dreaded “register_globals” on their servers.
I mean, this is PHP hosting 101, right?
Unfortunately, one of our great clients had a server that had register_globals turned on, and the hacker took full advantage. Moral of the story: please, please, check to make sure that register_globals is turned off. If your hosting provider has it turned on, turn and run the other way.
- harden php.ini
  - magic_quotes_gpc = On
  - register_globals = Off
- create a /tmp partition
- create honeytokens
- chroot apache/php
- use mod_security
- use swatch to monitor your log files
- disable extensions you don’t need
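As an added illustration (not code from the original post, nor Joomla's own), the coding pattern that register_globals breaks, the safe rewrite, and a guard that undoes register_globals at runtime when a host leaves it on; `check_password()` is a hypothetical stub standing in for a real credential check.

```php
<?php
// Vulnerable pattern (file scope): with register_globals=On every request key
// becomes a global variable, so a request carrying authorized=1 sets
// $authorized before this code runs and the uninitialized check below passes.
if (check_password(isset($_POST['user']) ? $_POST['user'] : '',
                   isset($_POST['pass']) ? $_POST['pass'] : '')) {
    $authorized = true;
}
if (!empty($authorized)) {        // trusts a variable the request may have set
    // ... privileged action ...
}

// Safe pattern: initialize before use, read input only via superglobals,
// and keep the decision inside a function so request globals cannot leak in.
function safe_gate()
{
    $authorized = false;
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (check_password($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Defensive guard for code that must run on a host you do not control:
// if register_globals is on, drop every global that mirrors a request key so
// the application sees the same environment as register_globals=Off.
// Returns the number of globals removed (0 when the setting is already off).
function unregister_globals()
{
    if (!filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        return 0;
    }
    $removed = 0;
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER, $_REQUEST);
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if ($key !== 'GLOBALS' && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

function check_password($user, $pass)   // hypothetical stub, always denies
{
    return false;
}
```

Call `unregister_globals()` as the very first statement of the front controller, before any include, since the injected globals exist from the moment the script starts.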
This entry was posted on Tuesday, August 22nd, 2006 at 11:44 pm and is filed under Joomla, PHP, security.